Merge branch 'master' into codeigniter-http-route

Author: pablomartinezbernardo

.circleci/continue_config.yml

@@ -1250,6 +1250,89 @@ jobs:
             make -C appsec/build -j $(nproc) ddappsec_helper_test
             ./appsec/build/tests/helper/ddappsec_helper_test
 
+  fuzz_appsec_helper:
+    parameters:
+      resource_class:
+        type: string
+        default: medium
+    working_directory: ~/datadog
+    <<: *BARE_DOCKER_MACHINE
+    steps:
+      - <<: *STEP_CHECKOUT
+      - <<: *STEP_ATTACH_WORKSPACE
+      - restore_cache:
+          name: "Restore Cache"
+          keys:
+            - hunter-cache-ubuntu-<< parameters.resource_class >>-
+      - setup_docker:
+          docker_image: ubuntu:23.10
+      - run:
+          name: Install dependencies
+          command: |
+            export DEBIAN_FRONTEND=noninteractive
+            apt update
+            apt install -y wget llvm-17 clang-17 cmake make curl libcurl4-gnutls-dev git
+            ln -s /usr/bin/clang-17 /usr/bin/clang
+            ln -s /usr/bin/clang++-17 /usr/bin/clang++
+      - run: git config --global --add safe.directory /home/circleci/datadog/appsec/third_party/libddwaf
+      - run:
+          name: CMake
+          command: |
+            export CC=/usr/bin/clang-17
+            export CXX=/usr/bin/clang++-17
+            mkdir -p appsec/build ; cd appsec/build
+            cmake .. -DCMAKE_BUILD_TYPE=Debug -DDD_APPSEC_BUILD_EXTENSION=OFF \
+              -DHUNTER_ROOT=/home/circleci/datadog/hunter-cache
+      - run:
+          name: Build
+          command: make -C appsec/build -j $(nproc) ddappsec_helper_fuzzer corpus_generator
+      - run: mkdir -p appsec/tests/fuzzer/{corpus,results,logs}
+      - run:
+          name: Generate Corpus
+          command: |
+            cd appsec
+            rm -f tests/fuzzer/corpus/*
+            ./build/tests/fuzzer/corpus_generator tests/fuzzer/corpus 500
+      - run:
+          name: Run fuzzer in nop mode
+          command: |
+            export LLVM_PROFILE_FILE=off.profraw
+            cd appsec
+            ./build/tests/fuzzer/ddappsec_helper_fuzzer --log_level=off --fuzz-mode=off -max_total_time=60 -rss_limit_mb=4096 -artifact_prefix=tests/fuzzer/results/ tests/fuzzer/corpus/
+      - run:
+          name: Generate Corpus
+          command: |
+            cd appsec
+            rm -f tests/fuzzer/corpus/*
+            ./build/tests/fuzzer/corpus_generator tests/fuzzer/corpus 500
+      - run:
+          name: Run fuzzer in raw mode
+          command: |
+            export LLVM_PROFILE_FILE=raw.profraw
+            cd appsec
+            ./build/tests/fuzzer/ddappsec_helper_fuzzer --log_level=off --fuzz-mode=raw -max_total_time=60 -rss_limit_mb=4096 -artifact_prefix=tests/fuzzer/results/ tests/fuzzer/corpus/
+      - run:
+          name: Generate Corpus
+          command: |
+            cd appsec
+            rm -f tests/fuzzer/corpus/*
+            ./build/tests/fuzzer/corpus_generator tests/fuzzer/corpus 500
+      - run:
+          name: Run fuzzer in body mode
+          command: |
+            export LLVM_PROFILE_FILE=body.profraw
+            cd appsec
+            ./build/tests/fuzzer/ddappsec_helper_fuzzer --log_level=off --fuzz-mode=body -max_total_time=60 -rss_limit_mb=4096 -artifact_prefix=tests/fuzzer/results/ tests/fuzzer/corpus/
+      - run:
+          name: Generate coverage
+          command: |
+            cd appsec
+            llvm-profdata-17 merge -sparse *.profraw -o default.profdata 
+            llvm-cov-17 show build/tests/fuzzer/ddappsec_helper_fuzzer -instr-profile=default.profdata -ignore-filename-regex="(tests|third_party|build)" -format=html > fuzzer-coverage.html
+            llvm-cov-17 report -instr-profile default.profdata build/tests/fuzzer/ddappsec_helper_fuzzer -ignore-filename-regex="(tests|third_party|build)" -show-region-summary=false
+      - store_artifacts:
+          path: appsec/fuzzer-coverage.html
+
   integration_snapshots:
     working_directory: ~/datadog
     parameters:
@@ -4360,6 +4443,14 @@ workflows:
               - medium
               - arm.medium
 
+    - fuzz_appsec_helper:
+        requires: [ hunter_cache_ubuntu ]
+        matrix:
+          parameters:
+            resource_class:
+              - medium
+              - arm.medium
+
   profiling_tests:
     when: << pipeline.parameters.profiling >>
     jobs:

appsec/cmake/helper.cmake

@@ -1,6 +1,10 @@
 hunter_add_package(Boost COMPONENTS system)
 find_package(Boost CONFIG REQUIRED COMPONENTS system)
 
+hunter_add_package(RapidJSON)
+find_package(RapidJSON CONFIG REQUIRED)
+set_target_properties(RapidJSON::rapidjson PROPERTIES INTERFACE_COMPILE_DEFINITIONS "RAPIDJSON_HAS_STDSTRING=1")
+
 configure_file(src/helper/version.hpp.in ${CMAKE_CURRENT_SOURCE_DIR}/src/helper/version.hpp)
 
 set(HELPER_SOURCE_DIR src/helper)
@@ -14,7 +18,7 @@ set_target_properties(helper_objects PROPERTIES
     POSITION_INDEPENDENT_CODE 1)
 target_include_directories(helper_objects PUBLIC ${HELPER_INCLUDE_DIR})
 target_compile_definitions(helper_objects PUBLIC SPDLOG_ACTIVE_LEVEL=SPDLOG_LEVEL_TRACE)
-target_link_libraries(helper_objects PUBLIC libddwaf_objects pthread spdlog cpp-base64 msgpack_c lib_rapidjson Boost::system)
+target_link_libraries(helper_objects PUBLIC libddwaf_objects pthread spdlog cpp-base64 msgpack_c RapidJSON::rapidjson Boost::system)
 
 add_executable(ddappsec-helper src/helper/main.cpp
 	$<TARGET_OBJECTS:helper_objects>
@@ -49,7 +53,7 @@ if(DD_APPSEC_TESTING)
        # Testing and examples
        add_subdirectory(tests/helper EXCLUDE_FROM_ALL)
        #add_subdirectory(tests/bench_helper EXCLUDE_FROM_ALL)
-       #add_subdirectory(tests/fuzzer EXCLUDE_FROM_ALL)
+       add_subdirectory(tests/fuzzer EXCLUDE_FROM_ALL)
 
        if(DD_APPSEC_ENABLE_COVERAGE)
            target_compile_options(helper_objects PRIVATE --coverage)

appsec/src/helper/client.cpp

@@ -3,17 +3,18 @@
 //
 // This product includes software developed at Datadog
 // (https://www.datadoghq.com/). Copyright 2021 Datadog, Inc.
-#include "client.hpp"
-#include "exception.hpp"
-#include "network/broker.hpp"
-#include "network/proto.hpp"
-#include "std_logging.hpp"
 #include <chrono>
 #include <spdlog/spdlog.h>
 #include <stdexcept>
 #include <string>
 #include <thread>
 
+#include "client.hpp"
+#include "exception.hpp"
+#include "network/broker.hpp"
+#include "network/proto.hpp"
+#include "std_logging.hpp"
+
 using namespace std::chrono_literals;
 
 namespace dds {
@@ -28,7 +29,7 @@ bool maybe_exec_cmd_M(client &client, network::request &msg)
         if constexpr (sizeof...(Mrest) == 0) {
             SPDLOG_WARN(
                 "a message of type {} ({}) was not expected at this point",
-                msg.id, msg.method);
+                static_cast<unsigned>(msg.id), msg.method);
             throw unexpected_command(msg.method);
         } else {
             return maybe_exec_cmd_M<Mrest...>(client, msg);

appsec/src/helper/engine.cpp

@@ -203,14 +203,14 @@ engine::action_map engine::parse_actions(
     const auto &actions_array = it->value;
     if (actions_array.GetType() != rapidjson::kArrayType) {
         SPDLOG_ERROR("unexpected 'actions' type {}, expected array",
-            actions_array.GetType());
+            static_cast<unsigned>(actions_array.GetType()));
         return actions;
     }
 
     for (auto &action_object : actions_array.GetArray()) {
         if (action_object.GetType() != rapidjson::kObjectType) {
             SPDLOG_ERROR("unexpected action item type {}, expected object",
-                action_object.GetType());
+                static_cast<unsigned>(action_object.GetType()));
             continue;
         }
 

appsec/src/helper/subscriber/waf.cpp

@@ -177,7 +177,7 @@ std::optional<subscriber::event> instance::listener::call(
     ddwaf_result res;
     DDWAF_RET_CODE code;
     auto run_waf = [&]() {
-        code = ddwaf_run(handle_, data, &res, waf_timeout_.count());
+        code = ddwaf_run(handle_, data, nullptr, &res, waf_timeout_.count());
     };
 
     if (spdlog::should_log(spdlog::level::debug)) {
@@ -254,7 +254,7 @@ instance::instance(parameter &rule,
     }
 
     uint32_t size;
-    const auto *addrs = ddwaf_required_addresses(handle_, &size);
+    const auto *addrs = ddwaf_known_addresses(handle_, &size);
 
     addresses_.clear();
     for (uint32_t i = 0; i < size; i++) { addresses_.emplace(addrs[i]); }
@@ -302,7 +302,7 @@ instance::instance(
       ruleset_version_(std::move(version))
 {
     uint32_t size;
-    const auto *addrs = ddwaf_required_addresses(handle_, &size);
+    const auto *addrs = ddwaf_known_addresses(handle_, &size);
 
     addresses_.clear();
     for (uint32_t i = 0; i < size; i++) { addresses_.emplace(addrs[i]); }

appsec/tests/fuzzer/CMakeLists.txt

@@ -0,0 +1,21 @@
+if (CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 13.0.0)
+    add_executable(ddappsec_helper_fuzzer ${HELPER_SOURCE} main.cpp mutators.cpp)
+    set_target_properties(ddappsec_helper_fuzzer PROPERTIES COMPILE_FLAGS "-fsanitize=fuzzer-no-link,address,leak -fprofile-instr-generate -fcoverage-mapping")
+    set_target_properties(ddappsec_helper_fuzzer PROPERTIES LINK_FLAGS "-fsanitize=fuzzer-no-link,address,leak -fprofile-instr-generate -fcoverage-mapping")
+    target_include_directories(ddappsec_helper_fuzzer PRIVATE ${HELPER_INCLUDE_DIR})
+
+    execute_process(
+        COMMAND ${CMAKE_CXX_COMPILER} -print-runtime-dir
+        OUTPUT_VARIABLE LLVM_RUNTIME_DIR
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+    )
+
+    execute_process(COMMAND uname -m COMMAND tr -d '\n' OUTPUT_VARIABLE ARCHITECTURE)
+
+    target_link_directories(ddappsec_helper_fuzzer PRIVATE ${LLVM_RUNTIME_DIR})
+    target_link_libraries(ddappsec_helper_fuzzer
+        PRIVATE libddwaf_objects pthread spdlog cpp-base64 msgpack_c lib_rapidjson Boost::system libclang_rt.fuzzer_no_main-${ARCHITECTURE}.a)
+
+    add_executable(corpus_generator corpus_generator.cpp)
+    target_link_libraries(corpus_generator PRIVATE helper_objects libddwaf_objects pthread spdlog)
+endif()